1、State of PentestingReport 2025STATE OF PENTESTING REPORT 2025|2TABLE OF CONTENTSForewordExecutive summaryPentesting perspectivesTop pentest findingsWeb applications and APIsMobile applicationsAI and LLMsSeverity of findingsResolution of findingsTime to resolutionHalf-life of findingsAll together now

2、Recommendations from this analysisResearch methodologyPentesting dataSurvey sampleAbout Cobalt and Cyentia34589101113162127293031313132STATE OF PENTESTING REPORT 2025|3Thank you for reading the State of Pentesting Report 2025,our assessment of the results of thousands of pentests conducted via the C

3、obalt Offensive Security Platform.Looking back at the very first report in this series,published in 2019,its remarkable how much the security landscape has changed,and how weve changed with it.Cobalt,the pioneer in Pentesting as a Service,is now at the forefront of testing AI models and applications

4、.Weve found that AI security is lagging far behind the pace of AI adoption.Our LLM testing finds more vulnerabilities than any other type of test,and only 21%of the highest risk LLM vulnerabilities are resolved.At the same time,security leaders are unfazed,but perhaps overconfident.While 81%are cert

5、ain they meet security compliance,pentesting data tells a more complicated story.Although SLAs aim for two-week remediation windows,the real time to resolution often stretches to months or even years.It takes over three months for just half of the most serious issues to be resolved.Development and s

6、ecurity teams have made strides in reducing high-risk vulnerabilities,and the time to resolve these findings dropped by two-thirds over the past decade.These improvements were likely driven by increased adoption of structured pentesting programs over ad hoc testing,and more rigorous security standar